Introduction - Motivation
– Many of the attacks are motivated by mischief or spite, others are likely born out of religious, ethnic or political tensions, and still others have been clearly focused around commercial gain.

Introduction - Problems
– There is little quantitative data about the prevalence of these attacks, nor any representative characterization of their behavior.
– Obstacles hampering the collection of an authoritative DoS traffic dataset:
  – ISPs consider such data sensitive and private.
  – Measuring Internet-wide attacks presents a significant logistical challenge.

Methodology - Backscatter Analysis
– During an attack of m packets, the probability of one given host receiving at least one unsolicited response from the victim is:
– If one monitors n distinct IP addresses, the expected probability of observing at least one packet from the attack is:

Methodology - Backscatter Analysis
– The expected number of unsolicited responses seen at a single host during an attack of m packets is:
– When monitoring n distinct IP addresses, the expected number of responses seen is:

Methodology - Backscatter Analysis
– Use the average arrival rate of unsolicited responses directed at the monitored address range to estimate the actual rate of the attack being directed at the victim:

Methodology - Analysis Limitations
Reliable Delivery
– Packets may be queued and dropped, both on the way from the attacker and on the way back from the victim.
– Packets may be filtered or rate-limited by firewall or intrusion detection software.
– Some forms of attack traffic (e.g. TCP RST messages) do not typically elicit a response.

Extracting Backscatter Packets
Remove:
– packets involving legitimate hosts
– packets that do not correspond to response traffic
– traffic from hosts that use TCP RST packets for scanning
– duplicate packets with the same flow tuple seen in the last five minutes

Flow-Based Classification
Flow-Based Identification
– A flow is a series of consecutive packets sharing the same victim IP address.
– The first packet seen for a victim creates a new flow.
– If further packets from that victim arrive at the telescope within a fixed timeout relative to the most recent packet in this flow, we associate these packets with that flow.
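The duplicate filter from the previous slide and the flow-based classification above, implemented as an added example (not code from the original paper or deck) over a constructed batch of backscatter records. The flow timeout, the monitored range size (a /8 telescope) and the 2^32/n scaling used to turn an observed backscatter rate into a lower bound on the attack rate are assumptions taken from the original paper, not values shown on this page.

```python
from dataclasses import dataclass
FLOW_TIMEOUT = 300.0   # assumed inter-packet timeout; the slide gives no value
DUP_WINDOW = 300.0     # "last five minutes" from the slide
MONITORED = 2 ** 24    # assumed monitored range: a /8 telescope

@dataclass
class Pkt:
    ts: float   # arrival time at the telescope, seconds
    src: str    # victim address (source of the unsolicited response)
    dst: str    # monitored address the backscatter landed on
    sport: int
    dport: int
    kind: str   # response type, e.g. "SYN-ACK" or "ICMP-unreach"

def dedupe(pkts):
    """Drop a packet whose flow tuple was already seen within DUP_WINDOW."""
    last, out = {}, []
    for p in sorted(pkts, key=lambda p: p.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.kind)
        if key in last and p.ts - last[key] <= DUP_WINDOW:
            continue
        last[key] = p.ts
        out.append(p)
    return out

def build_flows(pkts, timeout=FLOW_TIMEOUT):
    """Group by victim; a gap > timeout since the flow's latest packet opens a new flow."""
    flows, current = [], {}   # current: victim -> index of its open flow
    for p in sorted(pkts, key=lambda p: p.ts):
        i = current.get(p.src)
        if i is None or p.ts - flows[i]["end"] > timeout:
            flows.append({"victim": p.src, "start": p.ts, "end": p.ts, "count": 0})
            i = current[p.src] = len(flows) - 1
        flows[i]["end"] = p.ts
        flows[i]["count"] += 1
    return flows

def estimate_rate(flow, monitored=MONITORED):
    """Scale the observed backscatter rate by 2^32/n (uniform-spoofing assumption of the
    original paper); the result is a lower bound on the rate aimed at the victim."""
    duration = max(flow["end"] - flow["start"], 1.0)   # one-packet flows: assume 1 s
    return flow["count"] / duration * (2 ** 32 / monitored)

SAMPLE = [  # constructed sample, not real telescope data
    Pkt(0.0, "203.0.113.7", "198.51.100.1", 80, 1025, "SYN-ACK"),
    Pkt(1.0, "203.0.113.7", "198.51.100.9", 80, 3333, "SYN-ACK"),
    Pkt(2.0, "203.0.113.7", "198.51.100.1", 80, 1025, "SYN-ACK"),  # duplicate tuple, dropped
    Pkt(5.0, "192.0.2.20", "198.51.100.6", 0, 0, "ICMP-unreach"),
    Pkt(60.0, "203.0.113.7", "198.51.100.4", 80, 4000, "SYN-ACK"),
    Pkt(900.0, "203.0.113.7", "198.51.100.2", 80, 5000, "SYN-ACK"),  # > timeout: new flow
]
```

Running `build_flows(dedupe(SAMPLE))` yields three flows: two for 203.0.113.7 (split by the 840 s gap) and one for 192.0.2.20; `estimate_rate` on the first gives 12.8 pps, illustrating how sparse a /8 telescope's view of even a modest attack is.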

Interesting Features
– No strong diurnal patterns.
– The rate of attack doesn't change significantly over the period of time.
– Attacks were not clustered on particular subnets.
– One attack exhibits daily periodic behavior:
  – At the same time every day, the attack increases from an estimated 2,500 pps to 100,000-160,000 pps.
  – The attack persists for one hour before subsiding again.
  – Tuesdays off (suggests the attacks are scripted).

Attack Classification
Attack Protocols
– The vast majority of attacks (93%) and packets (88%) use TCP.
– 2.6% used ICMP.
– The most popular services targeted are HTTP (port 80), IRC (6667), port 0, and Authd (113).
Attack Rate
– 500 SYN pps is enough to overwhelm a server.
– 65% of attacks had an estimated rate at or above this.
– A server can be disabled by a flood of 14,000 pps.
– 4% of attacks reach this rate and would compromise even such attack-resistant firewalls.
Attack Duration
– 60% of attacks last less than 10 min.
– 80% are less than 30 min.
– 85% last less than 1 hr.
– 2.4% are greater than 5 hrs.
– 1.5% are greater than 10 hrs.
– 0.53% span multiple days.

Victim Type
– Roughly half of the victims are broadband users.
– Slightly less than 10% are dial-up.
– 5–10% of the victims are located on educational networks.
– A small number of victims appear to be Internet hosting centers.
– The majority of victims of the attacks are home users and small businesses.
– A significant number of attacks are against victims running IRC.
– Many reverse DNS mappings have been clearly compromised by attackers (e.g. "is.on.the.net.illegal.ly").
– A small but significant fraction of attacks are directed against network infrastructure:
  – Over 1.3% of attacks target routers.
  – 1.7% target name servers.

Victims of Repeated Attacks
– Most victims (89%) were attacked in only one trace (typically spanning roughly one week).
– Most of the remaining victims (7.8%) appear in two traces.
– Victims can appear in multiple traces because of attacks that span trace boundaries.
– 74% of the victims in each trace were targeted only during the collection of that trace.
– A small percentage of victims (3%) appear in more than three traces.
(Trace: attack that covers a week or more)

Validation
– Nearly all of the packets are attributed to backscatter that does not itself provoke a response (e.g. TCP RST, ICMP Host Unreachable).
– The distribution of destination addresses is consistent with a uniform distribution at the 0.05 significance level.
– Data from several university-related networks in Northern California and from Asta Networks qualitatively confirmed it.

Conclusion
– Presented a new technique, "backscatter analysis," for estimating DoS attack activity in the Internet.
– Observed widespread DoS attacks in the Internet: witnessed over 68,000 attacks.
– The size and length of the attacks were heavy-tailed.
– A surprising number of attacks were directed at a few foreign countries, at home machines, and towards particular Internet services.
